Skip to content

build: add dependencies cooldown#660

Open
gsprochette wants to merge 2 commits into
mainfrom
build/add-dependencies-cooldown
Open

build: add dependencies cooldown#660
gsprochette wants to merge 2 commits into
mainfrom
build/add-dependencies-cooldown

Conversation

@gsprochette
Copy link
Copy Markdown
Collaborator

@gsprochette gsprochette commented May 12, 2026

Description

This PR adds a 1 week cooldown for dependencies to protect against compromised packages. This gives us a 1 week delay to get any news about compromised packages and

  • confirm that they have removed the compromised version, or
  • restrict the version until we have found a better solution.

Related Issue

Fixes #(issue number)

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

I checked the uv pip install behavior for torch 2.11 dating back from march 23 (<2 months ago) with a no filter (is the version selected), 1 week filter (no change), 8 weeks filter (torch 2.10 is selected instead).

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Additional Notes

begumcig
begumcig reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@begumcig begumcig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not deny not approve but a secret third thing (a question)

Comment thread pyproject.toml

[tool.uv]
index-strategy = "first-index"
exclude-newer = "1 week" # protection against compromised dependencies
Copy link
Copy Markdown
Member

@begumcig begumcig May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do we mean by compromised here? Are we getting the all newer packages with a delay regardless?

Copy link
Copy Markdown
Member

@SaboniAmine SaboniAmine May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is to avoid getting versions where the compromission isn't already identified.
For those which are identified as poisonned, if the patch isn't shipped in 1 week we can pin the max versions that is safe to use.

Copy link
Copy Markdown
Collaborator Author

@gsprochette gsprochette May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exactly as Amine said, "compromised" here means that there may be a security issue with the latest version of one of the dependencies. If this is the case, the cooldown introduces a 1 week delay giving the community time to spot it and patch it, or giving us the possibility to pin the version to a non-compromised one if the patch is not available after this one week period

@gsprochette gsprochette requested a review from begumcig May 19, 2026 10:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SaboniAmine SaboniAmine SaboniAmine approved these changes

@begumcig begumcig Awaiting requested review from begumcig

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gsprochette @begumcig @SaboniAmine